Posted January 19, 2018
Hi
Maybe it helps someone to create custom loaders!
BR, h4sh3m
Attachment: x64_Simple_Loader_Delphi.rar
January 31, 2018
Hi, instead of using this function, can't we grab the imagebase from the PEB? Actually I don't have an x64 system at this time.

```delphi
uses
  Windows, SysUtils, TlHelp32;

// Returns the load address of Module inside process PID, or 0 if it is not found.
// A 64-bit process can only be enumerated like this from a 64-bit loader.
function GetModuleImageBase(PID: DWORD; Module: string): NativeUInt;
var
  ModuleSnap: THandle;
  ModuleEntry32: TModuleEntry32;
  More: Boolean;
  s: string;
begin
  Result := 0;
  ModuleSnap := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
  if ModuleSnap = NativeUInt(-1) then   // INVALID_HANDLE_VALUE
  begin
    MessageBox(0, 'Can''t snapshot the process modules', 'Error', MB_ICONERROR);
    Exit;                                // nothing to close yet
  end;
  try
    ModuleEntry32.dwSize := SizeOf(ModuleEntry32);
    More := Module32First(ModuleSnap, ModuleEntry32);
    while More do
    begin
      s := LowerCase(ExtractFileName(StrPas(ModuleEntry32.szExePath)));
      if s = LowerCase(Module) then
      begin
        // Keep the full pointer: casting to Integer truncates 64-bit addresses.
        Result := NativeUInt(ModuleEntry32.modBaseAddr);
        Break;
      end;
      More := Module32Next(ModuleSnap, ModuleEntry32);
    end;
  finally
    CloseHandle(ModuleSnap);
  end;
end;
```
February 8, 2018 Author
Hi @GautamGreat,
As I said, this is a simple loader. You can do this with the PEB, but I haven't tested it!
BR, h4sh3m
Edited May 31, 2020 by h4sh3m
June 10, 2018
@h4sh3m, when compiling your loader I get an error. If I comment this out, I get the next error.
Edited June 10, 2018 by xxx22xxx
June 10, 2018 Author
Hi, which compiler are you using? With this code you can't patch an x64 target via an x86 loader! After all, you can change "CreateProcess" -> "CreateProcessW" and "w : DWORD" -> "w : NativeUInt".
Best Regards, h4sh3m
Edited June 10, 2018 by h4sh3m
June 10, 2018
@h4sh3m Thanks, already solved it. I had used Delphi 7 Lite Full Edition; now I have installed RAD Studio XE2 and it works! But I have a question: will this loader work, for example, to patch Adobe x64 software? Or will it not work, as GautamGreat says?
June 10, 2018 Author
If you patch the right place it will work. It depends on you (and/or your target): if your target is protected it may fail for several reasons, like debugger detection (I'm not sure whether it uses the debug flag or not, but some protectors (and some handy ways) check the parent process to detect it!), memory protection (checksum), ... You can use the proxy method for this purpose too.